How much should I spend on Cybersecurity?

“Hackers are winning the cyberwar and businesses are all too often simply hoping for the best, according to many security experts.”

The cost of cybercrime in the UK is £18-27bn … supposedly. This could actually be low, since many people do not discuss cybercrime. But if people are not discussing this crime because of embarrassment or other reasons (PR), then how can we actually tell what is really happening?

What can we actually attribute to real cybercrime?

“He also alleges that some financial institutions have been compromised and have lost millions, but have kept this information under wraps. ‘In the past 10 years there has been at least one UK-based building society, which no longer exists, which lost about £50m to what was called a ghost transaction.’”

There is very little hard data, and some of what is counted as cyber crime is really potential IP crime (theft of Intellectual Property).

The biggest threat is from organised gangs looking to steal data and IP from companies, which they can then exploit on the black market. The hackers are typically based overseas where authorities are less effective at preventing them.

Humanity is risk averse when it comes to gains and risk seeking when it comes to losses.

“Security is a tradeoff,” Schneier said, speaking to a packed audience at his RSA session. “What are you getting for what you’re giving up? Whether you make that tradeoff consciously or not, there is one.”

This is a very important concept to understand:

Humanity is risk averse when it comes to gains: given a choice between higher risk with higher gains and lower risk with lower gains, the masses as a whole move to the lower risk choice.

Humanity is risk seeking when it comes to losses (even to the point that most people, including police officers, do not wear bullet proof vests). This means that when one has a choice between spending money and potentially losing something, or spending less money and potentially losing more, we will choose the second one more often.

So coming back to the question: How much should we spend on cybersecurity?

I can’t really say “we” now, because as a cyber security professional I will spend more on it than you will, since I can’t get hacked, period. I will spend whatever time and resources are necessary so that my computers and websites are not hacked.

You or your peers do not fear or understand the true nature of the cyber challenges that we have. So my question is this:

How much should a non-IT pro spend on cybersecurity?

For me to answer this correctly, I want to go back to the regular world and spend a little time stating how much we spend on physical security. For one, we spend a certain dollar amount on our physical locks and key systems. For computer rooms we spend money on keycards and security people watching cameras. So obviously a camera and the labor for the security person are considered reasonable even in areas where there is little if any crime.

Why hire security people, buy security cameras, biometric security devices… Etc? Will they be truly used once or twice to catch an actual criminal? Or is it part of the feeling of security that one wants for computer systems in a computer room?

(images from bioenabletech.com and biometricdevices.blogspot.com)

Biometric devices cost from $100 to $2,000, and they have to be integrated into a security system (hardware/software combinations), so the cost will likely rise to several thousand dollars, up to $10,000, with installation and training. But the reality is that an actual criminal will likely not attempt a physical attack on a computer room.

So should we make a comparison of potential security risks?

How accurate will a cybersecurity risk assessment be? On top of all of this, the only real statistic is whether one gets breached or not.

The reason everyone is getting hacked is that no one sees anybody actually get breached, except for the well publicized attacks. So no matter what I conjecture here, your perception is what matters.

And now we get back to the psychology of humanity: risk seeking when it comes to losses. So the reality is that you will discount the scares and potential security problems and take a chance, if you think there is less risk in doing nothing than in spending the money.

Now we know why most businesses will get hacked, period. You have to go against the psychological grain to spend more money on security.